Seeing that more than a few folks here are having computer security issues, I thought I'd lend a hand and offer some tips. Dayjob for me is computer security, even though I'd much rather sweep the floor in Blair or Barry's shop. I could go on forever, but I'll keep it to the important stuff. If you've got questions, feel free to ask here or send me a private message. I'll focus on Windows users, though the principles will apply to all computers.
Principles:
Keep your software updated. As the bad guys find bugs and ways to hack us, the good guys fix them; take advantage of those fixes! If your software has automatic update features, by all means, enable it, unless you know FOR CERTAIN that an update will break something you need, and in that case, just hold the update that breaks your stuff and let the rest go. This is something worth being religious about.
Engage your brain. If it sounds too good to be true, or it doesn't pass the smell test, don't click on it, run it, or open it. Almost nothing is free on the Internet, pretty much anything calling itself free isn't (with a few open source software exceptions) and requires you to give your valuable information up to get what they offer, which they will be happy to sell for money to an advertiser or hacker. This is more difficult to control when you may be fielding emails from strangers, but vigilance will keep you clean.
Protect your computer. Run antivirus. Make sure your email is integrated with your (or some) antivirus, Gmail is pretty good with this. Enable your firewall. Run an adblocker (this is a biggie, most automated 'clickless' hacks are Adobe Flash based advertisements, and Adobe Flash gets hacked REGULARLY).
Windows specific stuff:
Turn on Windows Update, and let it download and install updates automatically. New updates are released on the first Tuesday of the month, and it's a rare month indeed when there aren't updates. Your computer should greet you Wednesday morning with a message that it updated itself. If it didn't, go check it manually.
Upgrade to the latest version of Adobe Flash Player and enable automatic updates when it asks. You need this if you view YouTube videos, or to view about 90% of the dynamic content on the 'net. Since it's very popular, it's also a HUGE hacker target. Unfortunately it's also poorly written from a security standpoint (a bit like connecting rods with grade 3 bolts), so bugs are often found by the bad guys before the good guys find them (called zero-day exploits). Be careful while you're downloading, you don't want the extra downloads that they offer, like McAfee Security Scanner or whatnot.
Upgrade to the latest version of Oracle Java and enable automatic updates when it asks. This is another bastard stepchild that never seems to get updated, and it's often exploited in advertisements. Don't forget to uninstall the old versions. Watch for the extra downloads and uncheck those.
If you don't have a reliable self-updating antivirus, I strongly suggest downloading and installing Microsoft Security Essentials. It's free (yes, really free) for personal use. In my opinion it is superior because it integrates completely with the operating system, it never nags you to buy something, and it doesn't slow your machine as much as others I've tested. If you install MSE, uninstall your old antivirus first.
Run AdBlock Plus (and pop-blocker with the same name). This is the absolute best adblocker I've found, and it's free. The only drawback: you must use Google Chrome or Mozilla Firefox to run it. Sorry to the folks that support their businesses with online advertising companies, but until Flash and Java are rewritten or abandoned, this is a necessary security precaution. Be careful that you don't get an 'alternative', there are lots of adblockers out there with similar names... the name I gave is the exact one to use.
Update Adobe Reader, and secure it. This used to be a bigger target, but it's improved a great deal. Reader X (version 10) has two security pieces you'll want to enable: automatic updating, and disabling Acrobat JavaScript. Acrobat JavaScript is rarely used, and is the last substantial security hole remaining in it, so go to Edit -> Preferences -> JavaScript, and uncheck 'Enable Acrobat JavaScript'. If a PDF file bellyaches about it, you can always re-enable if your content comes from a trusted source. Don't forget, Edit -> Preferences -> Updater, select 'Automatically install updates'.
The last suggestions are configuration pieces in the Control Panel. From Network and Internet -> Internet Options, 'General' tab, select 'use blank' for your home page. This is a bit like a canary in a mineshaft, as it will tell you if someone has changed your home page, the first stage to many different kinds of hacks, plus if your Internet connection is offline, it won't hang forever. The last are on the 'Advanced' tab in the 'Security' section. Check 'Do not save encrypted pages to disk', and check 'Empty Temporary Internet Files folder when browser is closed'; these temporary storage areas are often used to hide and keep viruses active on your computer in an area that is rarely checked. If you clean them up every time you close your browser, they can't easily be kept alive by other processes. Also in the 'Security' section, disable SSL 2.0 (the encryption is weak), and check all TLS versions that are available (they are actually quite resistant to interception). From Control Panel -> System -> Advanced Settings -> Performance -> Data Execution Prevention, select 'Turn on DEP for all programs and services except those I select'. This is the suspenders for your antivirus, and keeps programs from tampering with that, or other system pieces. This won't be available on very old computers.
If you do get infected despite having all this stuff set correctly, I suggest using Malwarebytes Anti-Malware Free to help clean things up:
http://www.malwarebytes.org/products/malwarebytes_free/
I hope this helps you fellas that have been having troubles, and helps keep the rest of you clean!
Chad
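A read-only PowerShell check of the Internet Options and DEP settings listed in the post, added here as an example and not part of the original post. The registry value names (`Start Page`, `DisableCachingOfSSLPages`, `Persistent`, `SecureProtocols`) are assumptions about where Internet Explorer stores these per-user options; verify them on your Windows version.

```powershell
# Read-only audit of the Control Panel settings described in the post.
# Registry locations are assumptions (per-user Internet Explorer settings);
# nothing is modified. Requires PowerShell 3 or later for Get-CimInstance.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (the Windows default applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-Check([string]$Setting, $Actual, [bool]$Ok) {
    [pscustomobject]@{ Setting = $Setting; Actual = $Actual; Pass = $Ok }
}

$results = @()

$startPage = Get-RegValue $main 'Start Page'
$results += New-Check 'Home page is blank' $startPage ($startPage -eq 'about:blank')

$noSslCache = Get-RegValue $inet 'DisableCachingOfSSLPages'
$results += New-Check 'Do not save encrypted pages to disk' $noSslCache ($noSslCache -eq 1)

$persistent = Get-RegValue "$inet\Cache" 'Persistent'
$results += New-Check 'Empty Temporary Internet Files on close' $persistent ($persistent -eq 0)

# SecureProtocols is a bitmask of the protocol versions ticked on the Advanced tab.
$SSL2 = 0x8
$tls  = [ordered]@{ 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }
$proto = Get-RegValue $inet 'SecureProtocols'
if ($null -eq $proto) {
    $results += New-Check 'SecureProtocols value present' 'not set' $false
} else {
    $shown = '0x{0:X}' -f $proto
    $results += New-Check 'SSL 2.0 disabled' $shown (($proto -band $SSL2) -eq 0)
    foreach ($name in $tls.Keys) {
        # Older systems may not offer every TLS version; a failure here can be expected.
        $results += New-Check "$name enabled" $shown (($proto -band $tls[$name]) -ne 0)
    }
}

# DEP policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
# 'Turn on DEP for all programs and services except those I select' is OptOut (3).
$dep = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
$results += New-Check 'DEP on for all programs except selected' $dep ($dep -eq 3)

$results | Format-Table -AutoSize
```

A `Pass` of `False` with an empty `Actual` means the value has never been written for this user, so the Windows default is in effect.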